Twiki Perl Code Execution

Twiki Perl Code Execution: Posted Oct 10, 2014; Authored by Peter Thoeny; The debugenableplugins request parameter in Twiki versions 4.x, 5.x, and 6.0.0 allows arbitrary Perl code execution.; tags | exploit, arbitrary, perl, code execution; advisories | CVE-2014-7236; SHA-256 | 7e6bafc3f4e27a15de8ac1ae847247abec86cca045f3b86848aeae7d24f79d02; Download | Favorite | View

Twiki Perl Code Execution

This is an advisory for TWiki administrators: The debugenableplugins request parameter allows arbitrary Perl code execution.

TWiki ( http://twiki.org ) is an Open Source Enterprise Wiki and Web Application Platform used by millions of people.

   * Vulnerable Software Version
   * Attack Vectors
   * Impact
   * Severity Level
   * MITRE Name for this Vulnerability
   * Details
   * Countermeasures
   * Hotfix for TWiki Production Release 6.0.0
   * Hotfix for Older Affected TWiki Releases
   * Verify Hotfix
   * Authors and Credits
   * Action Plan with Timeline
   * External Links
   * Feedback

---++ Vulnerable Software Version

   * TWiki-6.0.0 (TWikiRelease06x00x00)
   * TWiki-5.1.x (TWikiRelease05x01x00 to TWikiRelease05x01x04)
   * TWiki-5.0.x (TWikiRelease05x00x00 to TWikiRelease05x00x02)
   * TWiki-4.3.x (TWikiRelease04x03x00 to TWikiRelease04x03x02)
   * TWiki-4.2.x (TWikiRelease04x02x00 to TWikiRelease04x02x04)
   * TWiki-4.1.x (TWikiRelease04x01x00 to TWikiRelease04x01x02)
   * TWiki-4.0.x (TWikiRelease04x00x00 to TWikiRelease04x00x05)

---++ Attack Vectors

Using an HTTP GET request towards a TWiki server, add a specially crafted 'debugenableplugins' request parameter to TWiki's view script (typically port 80/TCP). Prior authentication may or may not be necessary.

---++ Impact

A remote attacker can execute arbitrary Perl code to view and modify any file the webserver user has access to.

---++ Severity Level

The TWiki SecurityTeam triaged this issue as documented in TWikiSecurityAlertProcess [1] and assigned the following severity level:

   * Severity 1 issue: The web server can be compromised 

---++ MITRE Name for this Vulnerability

The Common Vulnerabilities and Exposures project has assigned the name CVE-2014-7236 [7] to this vulnerability. 

---++ Details

It is possible to execute arbitrary Perl code by adding a =debugenableplugins= parameter with a specially crafted value. Example:

http://www.example.com/do/view/Main/WebHome?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The TWiki site is vulnerable if you see a page with text "Vulnerable!".

__Background:__

TWiki allows enabling specific plugins for debug purposes using a 'debugenableplugins' parameter that lists the plugins to enable. In order to support this dynamic loading of plugins, TWiki inserts the plugin name into the following Perl =eval= statement without sanitizing the plugin name:
<verbatim>
my $p = $this->{module};
eval "use $p;";
</verbatim>

---++ Countermeasures

   * Apply hotfix (see patch below).
   * Upgrade to the latest patched production release TWiki-6.0.1 (TWikiRelease06x00x01) [2]

---++ Hotfix for TWiki Production Release 6.0.0

Apply the patch listed in the TWiki bug item at TWikibug:Item7558 [8]. The patch is also listed here, but due to whitespace changes in e-mail it is not recommended to use below patch.

NOTE: In case you use a Perl accelerator make sure to clear the script cache. For example, in case of SpeedyCGI remove the speedy cache (tmp/speedy.*) before restarting Apache.

Affected file: twiki/lib/TWiki/Plugins.pm

Patch to sanitize the 'debugenableplugins' parameter:

=======( 8>< CUT )===============================================
--- TWiki/Plugins.pm.save1   2014-01-09 02:10:56.000000000 -0500
+++ TWiki/Plugins.pm   2014-10-01 20:30:36.000000000 -0400
@@ -186,8 +186,11 @@
 
     unless( $allDisabled ) {
         if ( $query && defined( $query->param( 'debugenableplugins' ))) {
-            @pluginList = split( /[,\s]+/,
-                                 $query->param( 'debugenableplugins' ));
+            @pluginList =
+              grep { /Plugin$/ }
+              map { s/[^a-zA-Z0-9]//go; $_ } # Item7558: Sanitize parameter
+              split( /[,\s]+/, $query->param( 'debugenableplugins' ));
+
         } else {
             if( $TWiki::cfg{PluginsOrder} ) {
                 foreach my $plugin( split( /[,\s]+/,
=======( 8>< CUT )===============================================

---++ Hotfix for Older Affected TWiki Releases

Apply above patch (line numbers may vary).

---++ Verify Hotfix

To verify the patch add the following parameter to any TWiki topic:

?debugenableplugins=BackupRestorePlugin%3bprint("Content-Type:text/html\r\n\r\nVulnerable!")%3bexit

The site is vulnerable if a page is returned with text "Vulnerable!"

---++ Authors and Credits

   * Credit to Netanel Rubin (netanelr[at]checkpoint.com) for disclosing the issue to the twiki-security@lists.sourceforge.netmailing list
   * PeterThoeny for creating the fix, patch and advisory
   * HideyoImazu for creating the TWiki-6.0.1 production release [2]

---++ Action Plan with Timeline

   * 2014-10-01 - Netanel Rubin of Check Point Software discloses issue to TWikiSecurityMailingList [4]
   * 2014-10-01 - developer verifies issue - PeterThoeny
   * 2014-10-01 - developer fixes code - PeterThoeny
   * 2014-10-05 - developer creates new TWiki-6.0.1 patch release [2] with fix - HideyoImazu
   * 2014-10-06 - security team creates advisory with hotfix - PeterThoeny
   * 2014-10-07 - send alert to TWikiAnnounceMailingList [5] and TWikiDevMailingList [6] - PeterThoeny
   * 2014-10-09 - publish advisory in Codev web and update all related topics - PeterThoeny
   * 2014-10-09 - issue a public security advisory to fulldisclosure[at]seclists.org, cert[at]cert.org, vuln[at]secunia.com, bugs[at]securitytracker.com, submissions[at]packetstormsecurity.org - PeterThoeny

---++ External Links

[1]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityAlertProcess
[2]: http://twiki.org/cgi-bin/view/Codev/TWikiRelease06x00x01
[3]: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 (will be created on 2014-10-09)
[4]: http://twiki.org/cgi-bin/view/Codev/TWikiSecurityMailingList
[5]: http://twiki.org/cgi-bin/view/Codev/TWikiAnnounceMailingList
[6]: http://twiki.org/cgi-bin/view/Codev/TWikiDevMailingList
[7]: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7236 - CVE on MITRE.org
[8]: http://develop.twiki.org/~twiki4/cgi-bin/view/Bugs/Item7558

---++ Feedback

Please provide feedback at the security alert topic, http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2014-7236 once it exists (this topic will be created on Mon, 2014-10-09).

Please send an e-mail to twiki-security@lists.sourceforge.net if you have any questions before Monday.

-- Peter Thoeny - 2014-10-09


--
> Peter Thoeny     - Peter09[at]Thoeny.org
> http://bit.ly/MrTWiki - consulting on enterprise collaboration
> http://TWiki.org - is your team already TWiki enabled?
> Knowledge cannot be managed, it can be discovered and shared
> This e-mail is:   (_) private    (_) ask first    (x) public

Top Authors In Last 30 Days

Red Hat 221 files
Ubuntu 59 files
Debian 30 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 9 files
Apple 6 files
Milad Karimi 5 files
Google Security Research 5 files
tmrswrr 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,298)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,550)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,453)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Twiki Perl Code Execution

Twiki Perl Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Twiki Perl Code Execution

Share This

Twiki Perl Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems